Comments (2)
It's obvious the problem with ristretto not being canonical goes both ways. I therefore pulled out all public key migration code without separating anything in 024bc92 but I put the code in https://github.com/w3f/schnorrkel/tree/master/iffy/migration_from_ed25519/src from which someone can make a migration crate that warns about permitting two different migration crates to exist.
from schnorrkel.
We should understand how this creates insecurity:
ristretto was roughly described by Mike Hamburg in section 7 on page 13 of his Decaf paper, but that does not explain the shortcoming.
According to https://ristretto.group/details/index.html ristretto use an encoding of a Jacobi quartic like in section 4 of the Decaf paper, but with a different isogeny so the explicit formulas for ristretto differ slightly from those given in appendix A.1.
If I understand, the decoding algorithm still works if one chooses another branch of the inverse square root, but these give equivalent resulting ristretto points.
In consequence, if you export an ed25519 public key from ristretto then implementations may export different keys. In particular, users might be unable to access funds from a particular wallet.
I do not know if merely importing an ed25519 key into ristretto creates problems, but the decaf paper's encodings do not restrict to specific points, so they should support importing keys. I'm unsure if ristretto does anything more aggressive here, but presumably no.
There are three changes listed in on page 3 of the Decaf paper: equality, compression, and decompression. We clearly need the decaf compression anytime we hash points in a schnorr proof. Are decaf equality and compression as "hashing form points" really compatible with an ed25519 wire format from which you import keys whenever using them?
I think so, but these compression and decompression operations have non-trivial cost, and the decaf and ristretto ones have similar costs to the ordinary ed2559 ones, so if algorithms cache points correctly then doing this roughly doubles these costs for both proovers and verifiers.
Anyways, I still believe these modules should be extracted into another "ed25519-ristretto-migration" crate, which itself contains a scary warning against exporting keys, or simply removes that functionality.
from schnorrkel.
Related Issues (20)
- Version 0.9.2 breaks semver HOT 6
- `getrandom` feature should enable `rand_core/getrandom` HOT 9
- PublicKey incompatible with serde_json HOT 5
- Implement Schnorr half aggregation HOT 1
- Keypair::vrf_sign ignores (partially) passed RNG HOT 6
- ThinVRF HOT 3
- Remove serde? HOT 4
- Is soft public key derive ready for production usage? HOT 3
- failed to verify signatures generated by `polkadot-js` HOT 10
- What Is The Signing Context For? HOT 4
- How to use musig? HOT 2
- Adopt the new secret key interface HOT 1
- Verify schnorrkel vrf on EVM HOT 1
- Build fails: `rand_core` doesn't have feature `nightly` HOT 2
- Add rand back HOT 2
- The code compile Error from_bits not found HOT 3
- Update from curve25519-dalek 4.0.0-rc2 to 4.0.0 and release 0.11 HOT 3
- Fix aead
- v0.11 doesn't compile in no-std mode HOT 2
- Broken `no_std` because of `rand/std_rng` HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from schnorrkel.